#!/bin/bash
# Bootstraps a new simponic service in this infra repository: renders the Go
# project template into a package directory, pushes its first commit, then
# adds a DNS record, nginx vhost files and an Ansible role/playbook.
# All paths below (template, inventory, roles/...) are relative, so run it
# from the repository root. Requires GNU grep/sed as ggrep/gsed.
set -e  # abort on the first failing command (a pipeline only reports its last stage)
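#######################################
# Ask for a value on stdin and fall back to a default when the answer is empty.
# The default is shown inside the prompt, so do not use this for secrets.
# Arguments: $1 - prompt text
#            $2 - default value
# Outputs:   the entered line, or $2 when the line is empty, to stdout
# Returns:   read's status; under set -e an EOF ends the command substitution
#            before anything is printed
#######################################
prompt_with_default() {
  local prompt_message="$1"
  local default_value="$2"
  local input
  # -r keeps backslashes literal (paths and URLs are typical answers);
  # bash only displays the -p prompt when stdin is a terminal.
  read -r -p "$prompt_message [$default_value]: " input
  # printf instead of echo so an answer such as "-n" is printed verbatim.
  printf '%s\n' "${input:-$default_value}"
}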
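# Interactive configuration. Every value is prompted with a default; several
# defaults are derived from SERVICE, so it is asked before the values using it.
DNS_ENDPOINT=$(prompt_with_default "Enter DNS endpoint" "https://hatecomputers.club/dns")
BIND_FILE=$(prompt_with_default "Enter bind file path" "roles/nameservers/templates/db.simponic.xyz.j2")
SERVICE_TITLE=$(prompt_with_default "Enter service title" "whois simponic.")
SERVICE=$(prompt_with_default "Enter service name" "whois")
SERVICE_PORT=$(prompt_with_default "Enter service port" "8466")
SERVICE_REPO=$(prompt_with_default "Enter service repository URL" "git.simponic.xyz/simponic/$SERVICE")
SERVICE_ORIGIN=$(prompt_with_default "Enter service origin URL" "git@git.simponic.xyz:simponic/$SERVICE")
INTERNAL=$(prompt_with_default "Is the service internal? (yes/no)" "no")
SERVICE_HOST=$(prompt_with_default "Enter service host" "ryo")
PACKAGE_PATH=$(prompt_with_default "Enter package path" "$HOME/git/simponic/$SERVICE")
# The API key is a secret: read it with echo disabled (-s) rather than showing
# it as a prompt default on the terminal. An empty answer keeps the previous
# behaviour of taking the key from the clipboard (pbpaste, macOS only), and
# the clipboard is only consulted in that case.
read -r -s -p "Enter hatecomputers API key (blank = use clipboard): " HATECOMPUTERS_API_KEY
printf '\n'
if [[ -z "$HATECOMPUTERS_API_KEY" ]] && command -v pbpaste >/dev/null 2>&1; then
  HATECOMPUTERS_API_KEY=$(pbpaste)
fi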
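#######################################
# Replace one "{{ name }}" placeholder in every file under PACKAGE_PATH.
# The replacement is escaped for sed's s/// so values containing '/', '&'
# or '\' (repository URLs, titles) cannot corrupt the expression.
# Arguments: $1 - placeholder name (without braces)
#            $2 - replacement text
# Globals:   PACKAGE_PATH (read)
#######################################
_render_placeholder() {
  local placeholder="$1"
  local escaped
  escaped=$(printf '%s\n' "$2" | sed -e 's#[&/\\]#\\&#g')
  # -r: do not invoke gsed when no file contains the placeholder.
  ggrep -rlZ -F -- "{{ $placeholder }}" "$PACKAGE_PATH" \
    | xargs -0 -r gsed -i "s/{{ $placeholder }}/$escaped/g"
}

#######################################
# Copy ./template into PACKAGE_PATH and fill in the service placeholders.
# Globals:  PACKAGE_PATH, SERVICE, SERVICE_HOST, SERVICE_REPO, SERVICE_PORT,
#           SERVICE_TITLE (read)
# Requires: GNU grep/sed installed as ggrep/gsed
#######################################
function render_template() {
  cp -r -- template "$PACKAGE_PATH"
  _render_placeholder service "$SERVICE"
  _render_placeholder service_host "$SERVICE_HOST"
  _render_placeholder service_repo "$SERVICE_REPO"
  _render_placeholder service_port "$SERVICE_PORT"
  _render_placeholder service_title "$SERVICE_TITLE"
}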
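#######################################
# Format, build and test the Go module in PACKAGE_PATH, then create the
# initial commit on main and push it to SERVICE_ORIGIN. Pauses twice for
# manual steps (creating the remote repository, enabling it in Drone).
# Globals:  PACKAGE_PATH, SERVICE_REPO, SERVICE, SERVICE_ORIGIN (read)
# Returns:  non-zero if PACKAGE_PATH cannot be entered or any step fails
#######################################
function test_and_commit_code() {
  # A subshell keeps the directory change local, so the caller's working
  # directory is restored on every exit path (the old `cd -` only ran on success).
  (
    cd "$PACKAGE_PATH" || exit 1
    go fmt ./...
    go get
    go mod tidy
    go build
    go test -v ./...
    printf '%s\n' "everything looks good, can you make a repo at https://$SERVICE_REPO (press enter when done)"
    read -r _
    printf '%s\n' "cool. now, please sync it with drone (https://drone.internal.simponic.xyz/simponic/$SERVICE). (press enter when done)"
    read -r _
    git init
    git add .
    git commit -m "initial commit by simponic-infra"
    git checkout -B main
    git remote add origin "$SERVICE_ORIGIN"
    git push -u origin main
  )
}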
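#######################################
# Register the service's CNAME: internal services are created through the
# DNS API, public ones are appended to the BIND zone template.
# Globals:  INTERNAL, SERVICE, SERVICE_HOST, HATECOMPUTERS_API_KEY,
#           DNS_ENDPOINT, BIND_FILE (read)
# Returns:  non-zero when the API call fails (HTTP error included)
#######################################
function add_dns_records() {
  local name content
  if [[ "$INTERNAL" = "yes" ]]; then
    name="$SERVICE.internal.simponic.xyz."
    # content already carries the full zone suffix; the previous version
    # appended ".internal.simponic.xyz." a second time.
    content="$SERVICE_HOST.internal.simponic.xyz."
    # The Authorization header is read from stdin (-H @-) so the API key does
    # not show up in the process list; --fail makes an HTTP error a non-zero
    # status that set -e stops on instead of silently continuing.
    # NOTE(review): the original packed every field into a single -F value;
    # each field is now its own form part — confirm against the API's expected encoding.
    curl -sS --fail -H @- \
      -F "type=CNAME" \
      -F "name=$name" \
      -F "content=$content" \
      -F "ttl=43200" \
      -F "internal=on" \
      "$DNS_ENDPOINT" <<<"Authorization: Bearer $HATECOMPUTERS_API_KEY"
  else
    name="$SERVICE.simponic.xyz."
    content="$SERVICE_HOST.simponic.xyz."
    # Insert the record directly after the ";; CNAME Records" marker line.
    gsed -i "s|;; CNAME Records|;; CNAME Records\n$name\t43200\tIN\tCNAME\t$content|" "$BIND_FILE"
  fi
}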
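#######################################
# Write the nginx vhost files for a public service: an HTTPS reverse proxy
# to 127.0.0.1:SERVICE_PORT and an HTTP listener that serves ACME challenges
# and redirects everything else to HTTPS.
# Globals:  SERVICE, SERVICE_HOST, SERVICE_PORT, INTERNAL (read)
# Outputs:  roles/webservers/files/SERVICE_HOST/{https,http}.<endpoint>.conf
#######################################
function add_nginx_config() {
  local endpoint="$SERVICE.simponic.xyz"
  local destination="roles/webservers/files/$SERVICE_HOST"
  if [[ "$INTERNAL" = "yes" ]]; then
    # Internal services: only the names are computed, no vhost is written.
    # NOTE(review): the original assigned a misspelled 'ednpoint' here and
    # never used either value — confirm whether an internal vhost was intended.
    endpoint="$SERVICE.internal.simponic.xyz"
    destination="roles/private/files/$SERVICE_HOST"
  else
    mkdir -p "$destination"
    # Unquoted heredocs: shell variables expand, nginx's own $vars are written as \$.
    # TLS 1.0/1.1 and the 3DES suites were dropped from the generated config;
    # both are deprecated and TLSv1.3 needs nginx >= 1.13 with OpenSSL 1.1.1.
    cat > "$destination/https.$endpoint.conf" <<EOF
server {
  listen 443 ssl;
  server_name $endpoint;
  ssl_certificate /etc/letsencrypt/live/$endpoint/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/$endpoint/privkey.pem;
  ssl_trusted_certificate /etc/letsencrypt/live/$endpoint/fullchain.pem;
  ssl_session_cache shared:SSL:50m;
  ssl_session_timeout 5m;
  ssl_stapling on;
  ssl_stapling_verify on;
  ssl_protocols TLSv1.2 TLSv1.3;
  ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4";
  ssl_dhparam /etc/nginx/dhparams.pem;
  ssl_prefer_server_ciphers on;
  location / {
    proxy_pass http://127.0.0.1:$SERVICE_PORT;
    proxy_http_version 1.1;
    proxy_set_header Upgrade \$http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_set_header Host \$server_name;
    proxy_buffering off;
    proxy_set_header X-Real-IP \$remote_addr;
    proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto \$http_x_forwarded_proto;
    add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
  }
}
EOF
    cat > "$destination/http.$endpoint.conf" <<EOF
server {
  listen 80;
  server_name $endpoint;
  location /.well-known/acme-challenge {
    root /var/www/letsencrypt;
    try_files \$uri \$uri/ =404;
  }
  location / {
    rewrite ^ https://$endpoint\$request_uri? permanent;
  }
}
EOF
  fi
}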
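#######################################
# Add the service to the Ansible inventory and generate its role (tasks +
# docker-compose template) and a deploy-<service>.yml playbook.
# Globals:  SERVICE, SERVICE_HOST, PACKAGE_PATH (read)
# Outputs:  appends to ./inventory; writes roles/<service>/... and
#           deploy-<service>.yml
#######################################
function create_role() {
  # Values go through %s, never into the printf format string.
  printf '\n[%s]\n%s ansible_user=root ansible_connection=ssh' "$SERVICE" "$SERVICE_HOST" >> inventory
  mkdir -p "roles/$SERVICE/tasks" "roles/$SERVICE/templates"
  cp -- "$PACKAGE_PATH/docker-compose.yml" "roles/$SERVICE/templates/docker-compose.yml.j2"
  # Modes are quoted so YAML cannot reinterpret the leading zero.
  # NOTE(review): the db directory is created world-writable (0777) — confirm
  # the container actually needs that rather than a matching owner/uid.
  cat > "roles/$SERVICE/tasks/main.yml" <<EOF
---
- name: ensure $SERVICE docker/compose exist
  file:
    path: /etc/docker/compose/$SERVICE
    state: directory
    owner: root
    group: root
    mode: '0700'
- name: ensure $SERVICE db exist
  file:
    path: /etc/docker/compose/$SERVICE/db
    state: directory
    owner: root
    group: root
    mode: '0777'
- name: build $SERVICE docker-compose.yml.j2
  template:
    src: ../templates/docker-compose.yml.j2
    dest: /etc/docker/compose/$SERVICE/docker-compose.yml
    owner: root
    group: root
    mode: u=rw,g=r,o=r
- name: daemon-reload and enable $SERVICE
  ansible.builtin.systemd_service:
    state: restarted
    enabled: true
    name: docker-compose@$SERVICE
EOF
  cat > "deploy-$SERVICE.yml" <<EOF
- name: deploy $SERVICE
  hosts: $SERVICE
  roles:
    - $SERVICE
EOF
}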
#######################################
# Entry point. The steps run in dependency order: the rendered package must
# exist before it is built and pushed, and the DNS, nginx and Ansible steps
# all consume the service name/host chosen during configuration.
#######################################
main() {
  render_template
  test_and_commit_code
  add_dns_records
  add_nginx_config
  create_role
}
main "$@"